﻿<?xml version='1.0' encoding='UTF-8'?><rss version="2.0" xmlns:dc="http://purl.org/dc/elements/1.1/"><channel><title>Tweaks.com Forum  / Windows &amp; System Security / Security News and Software Updates &amp; Definitions  / Sober worm spreads like wildfire / Latest Posts</title><generator>InstantForum.NET v4.1.4</generator><description>Tweaks.com Forum </description><link>http://forum.tweaks.com/forum/</link><webMaster>forum@tweaks.com</webMaster><lastBuildDate>Thu, 20 Nov 2008 09:00:59 GMT</lastBuildDate><ttl>20</ttl><item><title>RE: Sober worm spreads like wildfire</title><link>http://forum.tweaks.com/forum/Topic160604-59-1.aspx</link><description>[quote]Sober Worm Hides From AV Scanners&lt;BR&gt;May 11, 2005&lt;BR&gt;By TechWeb News&lt;P&gt;One of the reasons why the Sober.p worm continues to spread is because of the way it hides from some anti-virus scanners, a Russian security firm said Wednesday. Sober.p--also called Sober.s, Sober.o, and Sober.v by various anti-virus companies--includes a mechanism that prevents other programs from accessing its files, said Moscow-based Kaspersky Labs. That presents problems for some anti-virus software.&lt;/P&gt;&lt;P&gt;The tactic has been seen in previous Sobers, said Kaspersky, but it's been refined so that no applications, not even those running under a SYSTEM account, can access them. "If something can't be scanned, then malicious code can't be detected," Kaspersky said in an online alert. "This rules out the chance of Sober being detected while running an on-demand scan."&lt;/P&gt;&lt;P&gt;Instead, the anti-virus software must have the means to detect Sober running in memory, then kill those processes. "This is where some anti-virus programs are failing," added Kaspersky. 
"Either they don't have a memory scanner, or the scanner has limited functionality which isn't able to kill the processes."&lt;/P&gt;&lt;P&gt;Several anti-virus vendors have posted free detection and deletion tools, however, that are able to see through Sober's cloak of invisibility. Panda Software, for instance, offers QuickRemover. Microsoft's Windows Malicious Software Removal Tool, which was updated Tuesday as part of the regular monthly security bulletin release, also sniffs out Sober.p. [/quote]&lt;/P&gt;&lt;P&gt;&lt;A href="http://www.techweb.com/wire/security/163101128"&gt;Techweb.com&lt;/A&gt;</description><pubDate>Wed, 11 May 2005 14:30:53 GMT</pubDate><dc:creator>quietman7</dc:creator></item><item><title>RE: Sober worm spreads like wildfire</title><link>http://forum.tweaks.com/forum/Topic160604-59-1.aspx</link><description>[quote]The Sober.P worm is still spreading fast and made up almost 5 percent of all e-mail traffic on Friday morning, according to a U.K. antivirus company. Sophos said that the worm accounts for around 77 percent of all virus activity it is seeing. 
The company said the Sober variant is still spreading, even though large corporations appear to have patched the vulnerabilities that the virus uses to propagate...Sophos reported earlier this week that Sober.P appears to turn off Symantec's antivirus protection and the Microsoft Windows XP firewall, probably as a way of preparing computers to distribute spam and to spread itself wider.[/quote]&lt;/P&gt;&lt;P&gt;&lt;A href="http://news.com.com/Sober+worm+makes+a+comeback/2100-7349_3-5698411.html?tag=cd.lede"&gt;News.com&lt;/A&gt;</description><pubDate>Fri, 06 May 2005 20:29:16 GMT</pubDate><dc:creator>quietman7</dc:creator></item><item><title>Sober worm spreads like wildfire</title><link>http://forum.tweaks.com/forum/Topic160604-59-1.aspx</link><description>[quote]Sober worm spreads like wildfire&lt;BR&gt;Published: May 3, 2005, 12:45 PM PDT&lt;BR&gt;By Dawn Kawamoto &lt;BR&gt;Staff Writer, CNET News.com&lt;P&gt;The latest Sober worm has spread rapidly in the past 24 hours and now makes up two-thirds of virus traffic on the Internet, according to security experts. Sober.P, first detected on Monday, now accounts for 77 percent of all viruses detected by Sophos's threat-monitoring stations worldwide, the British security company said on Tuesday. At the same time, Kaspersky Lab, a Russian maker of antivirus software designed to combat such threats, described the worm's spread in Western Europe as an "epidemic." &lt;/P&gt;&lt;P&gt;"This is a pretty significant virus. We usually don't see it spread to 77 percent of all inbound viruses," Gregg Mastoras, a senior security analyst at Sophos, said. "Usually, it spreads much slower, and users have time to update their computers." &lt;/P&gt;&lt;P&gt;Variants of Sober have been circulated since 2003 and have continued to hit corporate and home systems. The mass-mailing worm has continued to spread because people still open attachments in infected e-mail, despite warnings. 
The latest Sober offshoot, which has been tagged as Sober.N, Sober.O or Sober.S at other security companies, uses e-mail written in both English and German. One of its lures is a message saying the recipient has won free tickets to the 2006 World Cup soccer tournament. Once victims open the infected attachment, the virus harvests their e-mail addresses. The virus copies itself onto the user's computer and then sends a similar e-mail to the harvested addresses.[/quote]&lt;/P&gt;&lt;P&gt;&lt;A href="http://news.com.com/Sober+worm+spreads+like+wildfire/2100-7349_3-5693981.html?tag=cd.top"&gt;News.com&lt;/A&gt;&lt;/P&gt;&lt;P&gt;Related article: Two variants of Sober worm infect PCs worldwide: The attacks began yesterday, appear to be peaking today &lt;A href="http://www.computerworld.com/securitytopics/security/story/0,10801,101516,00.html"&gt;Computerworld.com&lt;/A&gt;</description><pubDate>Wed, 04 May 2005 10:26:55 GMT</pubDate><dc:creator>quietman7</dc:creator></item></channel></rss>